(S//SI//REL) What Your Mother Never Told You About SIGDEV Analysis

SSG21 Net Pursuit
Network Analysis Center

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20370401





(U//FOUO) What have I learned in my first two years in

- (U//FOUO) Important to understand the data that you are searching against
- (S//SI//REL) Important to understand the hidden treasures and nuances in various SIGDEV tools
- (U//FOUO) Nothing is 100%: there are always exceptions to the tools and the rules
- (S//SI//REL) Took a network view of VPNs





(TS//SI//REL) What Makes SIGDEV Analysis Challenging?

(U//FOUO) Requires knowledge of:

- (S//SI//REL) Access and collection
- (S//SI//REL) Network protocols
- (S//SI//REL) Routing
- (TS//SI//REL) Encryption


TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 






(U//FOUO) Challenges etc....

(TS//SI//REL) Technical jargon and abbreviations
- IPSEC
- IKE
- MPLS
- PSK
- PPTP
- L2TP
- GRE

Cisco commands




(TS//SI//REL) Challenges etc.

(S//SI//REL) Tools
- How to use them
- Knowing that they exist
- Multiple query languages
  - SQL for TOYGRIPPE
  - Oracle Text Query in DISCOROUTE
- Quantity




(U//FOUO) Tools

- DISCOROUTE
- BLACKPEARL
- TOYGRIPPE
- GNETWORK GNOME
- NKB & RONIN
- XKEYSCORE
- TREASUREMAP
- RENOIR
- ....and more....







(TS//SI//REL) Building Network Knowledge

(Venn diagram of overlapping tool coverage: BLACKPEARL, TOYGRIPPE, XKEYSCORE.)

Maximize the overlap of the tools for success










(S//SI//REL) DISCOROUTE

NAC's router configuration database

(U//FOUO) DISCOROUTE

(C) NAC project to acquire, parse, database and display configuration files from network devices

(C) Allows analysts to mine device configs for SIGDEV discovery

Router configs are a rich source of network and VPN information










(S//SI//REL) DISCOROUTE

(S//SI//REL) All IPs are important because they all belong to a device and they all have a purpose in the network

(S//SI//REL) Search for
- Endpoint IPs
- Loopback IPs
- Opposite end of a point-to-point connection
- IPs found in pings and telnets

(S//SI//REL) Make note of the source and destination IPs of the config




(U//FOUO) DISCOROUTE

- (U//FOUO) Country Search
- (U//FOUO) IP Search
- (U//FOUO) Text Query
- (TS//SI//REL) Manifest Tag Selection
  - K - Crypto Keys
  - H - TAO Pop
  - M - Multihop
- (S//SI//REL) VPN report




(S//SI//REL) DISCOROUTE: Country Search

(S//SI//REL) IPGeo lookup on every IP address that is parsed

(S//SI//REL) Configs with only private IPs will not show up in the results of a country search





(S//SI//REL) DISCOROUTE: Searching for IP

(S//SI//REL) Text Query
- searches through the payload
- If you only search using this field, then you will miss:
  - configs that have your IPs of interest as the source and destination address
  - configs where your IP falls within the range of the interface mask

(S//SI//REL) IP address field search
- searches through the parsed file
- If you only search using this field, then you will miss configs with your IPs of interest in pings, telnets, arp commands
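To make the two search modes concrete, here is an added example (not DISCOROUTE code): a constructed config record with documentation-range addresses, and a function that reports which search mode would return the record for a given IP, covering the interface-mask case, the collection source/destination case, and the substring pitfall of a raw text match.

```python
import ipaddress
import re

# Constructed sample: one config "record" as a config database might hold it.
# 'src'/'dst' are the endpoints of the session the config was collected between
# (the "source and destination IPs of the config"); 'payload' is the raw text.
# All addresses are documentation-range placeholders.
SAMPLE_RECORD = {
    "src": "198.51.100.7",
    "dst": "203.0.113.20",
    "payload": """\
hostname edge-rtr
interface GigabitEthernet0/0
 ip address 203.0.113.17 255.255.255.240
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
ip route 0.0.0.0 0.0.0.0 203.0.113.30
edge-rtr#ping 198.51.100.9
edge-rtr#telnet 192.0.2.200
""",
}

IP_ADDRESS_LINE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)


def parsed_networks(payload):
    """Networks a config parser would extract from 'ip address A MASK' lines."""
    return [ipaddress.ip_interface(f"{a}/{m}").network
            for a, m in IP_ADDRESS_LINE.findall(payload)]


def text_query_hits(payload, ip):
    """Literal search over the raw payload. The look-arounds stop 192.0.2.1 from
    also matching inside 192.0.2.100, the classic substring-search pitfall."""
    rx = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return rx.search(payload) is not None


def search_modes_hitting(record, ip):
    """Which search modes would return this record for `ip`:
    'text'    - the IP appears literally in the payload (pings, telnets, ...)
    'parsed'  - the IP falls inside a parsed interface network (address+mask)
    'session' - the IP is the config's collection source or destination."""
    addr = ipaddress.ip_address(ip)
    modes = set()
    if text_query_hits(record["payload"], ip):
        modes.add("text")
    if any(addr in net for net in parsed_networks(record["payload"])):
        modes.add("parsed")
    if addr in (ipaddress.ip_address(record["src"]),
                ipaddress.ip_address(record["dst"])):
        modes.add("session")
    return modes


def missed_by_text_only(record, ips):
    """IPs for which the record is a hit, but not for a text-query-only search."""
    missed = []
    for ip in ips:
        modes = search_modes_hitting(record, ip)
        if modes and "text" not in modes:
            missed.append(ip)
    return missed


if __name__ == "__main__":
    for ip in ("198.51.100.9", "203.0.113.20", "198.51.100.7", "192.0.2.1"):
        print(ip, sorted(search_modes_hitting(SAMPLE_RECORD, ip)))
```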




(S//SI//REL) DISCOROUTE Search, 1 Feb to 13 Apr:

(S//SI//REL) Text Query: searching for the IP in the payload
- 3 results

(S//SI//REL) IP Address Search: searching for the IP in the parsed file
- Exact IP search
- De-duped by most recent
- 28 results (27 had [redacted] as the source IP)

(S//SI//REL) Somalia Country search: 66 results (12 of those had [redacted] as the source IP)

(S//SI//REL) Difference: the IP was the source IP for configs more times than it occurred in the payload data





(S//SI//REL) Why fewer configs for [redacted] in the country search?

- (S//SI//REL) 12 as opposed to 27
- (S//SI//REL) Geo location of [redacted] was Hong Kong for a period of time
- (S//SI//REL) Geo is assigned to router configs at the time of ingest and not changed if the IP location is corrected





(S//SI//REL) Data Found in a Text Query: Network IPs in a Huawei Config

(Screenshot of Huawei session output, IPs redacted.) Recoverable lines:

Current total sessions : 19
udp VPN: public -> public

Inner IPs





(S//SI//REL) DISCOROUTE

(TS//SI//REL) [...] the router

(S//SI//REL) M - multihop router. The admin telnetted into a router and then telnetted again to another device. Potential goldmine of information about your network, but be careful when looking through them to make sure you are associating an IP with the correct device.

(TS//SI//REL) K - crypto keys




(S//SI//REL) VPNs in Router Configs

(TS//SI//REL) DISCOROUTE sets manifest tags to 'K' for configs with crypto information

(S//SI//REL) Separate parsers developed for each vendor to pull out the endpoints and the pre-shared keys
- Cisco
- Huawei
- Juniper




(S//SI//REL) VPN Information in a Cisco Config

(S//SI//REL) Endpoint (PSK) and Description Fields

    crypto isakmp key VpnsAreCool address <redacted>
    crypto map VPNS-ROCK 10 ipsec-isakmp

    interface Tunnel1
     description Tunnel TO theStars
     bandwidth 512
     ip address <redacted>
     ip tcp adjust-mss 1350
     load-interval 30
     keepalive 5 2
     tunnel source <redacted>
     tunnel destination <redacted>
     crypto map VPNS-ROCK
(S//SI//REL) VPN Information in a Cisco Config

(S//SI//REL) Netstrings: Username, SNMP Community & Domain Names

    username deb privilege 5 password 7 082C495A0C1617

    snmp-server community dancer RW 70
    snmp-server community tangosnmp RW 60

    ip domain name lifesabeach





(S//SI//REL) VPN Information in a Huawei Config

    #
    ike proposal 60
     authentication-a
    #
    ike peer <redacted>
     exchange-mode aggressive
     pre-shared-key GoHokies
     ike-proposal 60
     undo version 2
     local-id-type name
     remote-name svn
     remote-address <redacted>
     remote-address authentication-address <redacted>
     nat traversal
    #
    ipsec proposal GoHokies
    #
    ipsec policy helloworld 60 isakmp
     security acl 3060
     ike-peer <redacted>
     proposal GoHokies
    #
    interface Virtual-Template1
     ip address <redacted>
     remote address pool 1
    #
    interface GigabitEthernet0/0/0
    #
    interface GigabitEthernet0/0/1
     description GigabitEthernet0/0/1 Interface
     ip address <redacted>
     ipsec policy helloworld










(S//SI//REL) VPN Information in a Juniper Config

    set ike gateway "BadguyVPN" address <redacted> Main outgoing-interface "untrust" preshare "xGe7YOYfNx3DNGsp4GCq+fgCdondsCBQtVwo/3YfCvbR7zJyDUewVD4=" proposal "pre-g2-3des-sha" "pre-g2-3des-md5"
    set ike gateway "BadguyVPN" cert peer-ca all
    set ike gateway "BadguyVPN Backup" address <redacted> Main outgoing-interface "untrust" preshare "YWZpKbUvNGQvCbsiXdCwv3pxRDnl_EAxo9877SfJFLBgg9utCdSyYPPI=" proposal "pre-g2-3des-sha" "pre-g2-3des-md5"
    set ike gateway "To Mouse" address <redacted> Main outgoing-interface "untrust" preshare "fn3VG5ElNI+amHsDeyChciqYVHnuTsbj4w==" proposal "pre-g2-3des-sha"
    set ike respond-bad-spi 1
    set vpn "BadguyVPN" gateway "BadguyVPN" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
    set vpn "BadguyVPN" monitor optimized rekey
    set vpn "BadguyVPN" id 5 bind interface tunnel.3
    set vpn "backup BadguyVPN" gateway "BadguyVPN Backup" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-sha" "nopfs-esp-3des-sha" "nopfs-esp-3des-md5"
    set vpn "backup BadguyVPN" monitor optimized rekey
    set vpn "backup BadguyVPN" id 4 bind interface tunnel.1
    set vpn "From Rat" gateway "To Mouse" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
    set vpn "From Rat" monitor optimized rekey
    set vpn "From Rat" id 6 bind interface tunnel.2
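From the device owner's side, the fields these vendor parsers pull (IKE pre-shared keys, type 7 passwords, RW SNMP communities, domain names, tunnel endpoints) are what a configuration review should flag before a config is backed up, pasted into a ticket or shared. The following is an added example, not a DISCOROUTE parser: the three sample configs are constructed from the syntax shown on this page with documentation-range addresses and a dummy Juniper blob, and the rule set is an assumption to be extended for your own platforms.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    vendor: str
    kind: str
    line_no: int
    line: str  # offending line with the secret token masked


# Constructed sample configs, modelled on the Cisco, Juniper and Huawei syntax
# shown above. Addresses are documentation-range placeholders.
CISCO_SAMPLE = """\
hostname edge-rtr
username deb privilege 5 password 7 082C495A0C1617
snmp-server community dancer RW 70
snmp-server community tangosnmp RW 60
ip domain name lifesabeach
crypto isakmp key VpnsAreCool address 203.0.113.5
crypto map VPNS-ROCK 10 ipsec-isakmp
interface Tunnel1
 description Tunnel TO theStars
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.5
 crypto map VPNS-ROCK
"""
JUNIPER_SAMPLE = """\
set ike gateway "BranchVPN" address 203.0.113.9 Main outgoing-interface "untrust" preshare "dummyblob==" proposal "pre-g2-3des-sha"
set vpn "BranchVPN" gateway "BranchVPN" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
"""
HUAWEI_SAMPLE = """\
ike peer branch
 exchange-mode aggressive
 pre-shared-key GoHokies
 remote-address 203.0.113.9
"""

# (vendor, kind, pattern): lines that expose a reusable secret (plaintext or
# reversibly encoded) or a network-identifying string. Assumed rule set.
RULES = [
    ("cisco", "ikev1-psk", re.compile(r"^crypto isakmp key (?:0 )?(?!6 )\S+ (?:address|hostname) ")),
    ("cisco", "type7-password", re.compile(r"^username \S+ .*\bpassword 7 \S+")),
    ("cisco", "snmp-rw-community", re.compile(r"^snmp-server community \S+ RW\b")),
    ("cisco", "domain-name", re.compile(r"^ip domain[ -]name \S+")),
    ("cisco", "tunnel-endpoint", re.compile(r"^\s*tunnel destination \S+")),
    ("juniper", "ikev1-psk", re.compile(r'^set ike gateway .* preshare "')),
    ("huawei", "ikev1-psk", re.compile(r"\bpre-shared-key \S+")),
    ("huawei", "tunnel-endpoint", re.compile(r"^\s*remote-address \S+")),
]

# Substitutions that blank the secret token so a findings report can be
# circulated without re-leaking what it found.
MASKS = [
    (re.compile(r"(password 7 )\S+"), r"\1<masked>"),
    (re.compile(r"(crypto isakmp key (?:0 )?)\S+"), r"\1<masked>"),
    (re.compile(r"(snmp-server community )\S+"), r"\1<masked>"),
    (re.compile(r'(preshare ")[^"]*(")'), r"\1<masked>\2"),
    (re.compile(r"(pre-shared-key )\S+"), r"\1<masked>"),
]


def redacted(line: str) -> str:
    for rx, repl in MASKS:
        line = rx.sub(repl, line)
    return line


def audit_config(text: str, vendor: str) -> list:
    """Scan one config and return its exposed-secret / identifier findings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        for rule_vendor, kind, rx in RULES:
            if rule_vendor == vendor and rx.search(raw):
                findings.append(Finding(vendor, kind, no, redacted(raw.strip())))
    return findings


def summarize(findings) -> dict:
    """Count findings per kind. The PSK, type-7 and RW-community counts are the
    ones to drive to zero (IOS type 6 keys / type 8 or 9 secrets, SNMPv3)."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for vendor, text in (("cisco", CISCO_SAMPLE), ("juniper", JUNIPER_SAMPLE),
                         ("huawei", HUAWEI_SAMPLE)):
        for f in audit_config(text, vendor):
            print(f"{f.vendor}:{f.line_no} {f.kind}: {f.line}")
```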
(S//SI//REL) VPN Report Search

(S//SI//REL) Some of the fields that you can search in...

- Country
- IP Address
- SIGAD/Case Notation
- Descriptions: crypto map and interface
- Netstrings: Username, Domain Name
- Pre-shared keys
- Device Hostname
- TAO Project Name









(S//SI//REL) DISCOROUTE VPN Report Form (screenshot)

Query form fields: date range (DOI / Load Date / Entire Database), IP Address (Tunnel Source, Tunnel Dest, VPN Source, VPN Remote, Interface), Hostname, SIGAD, Case, Country, TAO Project Name, Session ID, Pre-Shared Keys, SNMP Community, Interface Descr, Crypto Descr, Username, Domain Name; Generate Report / Generate Report in New Window / Clear Panel. Powered by the SIGDEV Lab, version 2.17, last modified March 28, 2012.

Sample report output (screenshot, IPs redacted): hostname IBL_Baghdad_Router (vendor cisco, SIGAD USJ-759A, collection source XKeyscore, TAO Pop: No), with sections Interfaces (Interface ID, Network Mask, Description), Tunnels (ID, Source, Dest, Description, e.g. "Tunnel TO Beirut") and VPN Peers (ID, Router IP, VPN Type ipsec, PSKs, Description).
(S//SI//REL) VPN Report

Use the VPN report as a start but not as the final answer for VPNs from a country or a SIGAD

(C) Query in different ways to make sure you get as much of the data as possible

(TS//SI//REL) Depending on your scenario you may want to start with a country search, an IP range or a descriptive term

VPN Peers Section contains the endpoint IPs for your VPN which can be entered into TOYGRIPPE








(S//SI//REL) Description & Net Strings Searches

(S//SI//REL) Suppose you do a general VPN report query
- Search by country
- Search by SIGAD

(S//SI//REL) Find a VPN of interest

(S//SI//REL) Analyze the NetStrings and the description fields




(S//SI//REL) NetStrings

(S//SI//REL) Do a follow-on VPN report using a netstring specific to your network
- Snmp community string: pegasus
- Domain name: badguy.com
- Username

(S//SI//REL) Search ROYALNET
- Analytics to find other netstrings related to your target
- Analytics to find links likely to carry your target's communications





(U//FOUO) BLACKPEARL

(S//SI//REL) NAC tool enabling automated DNI link and network characterization against survey collection across the SIGINT system

(S//SI//REL) BLACKPEARL

- (S//SI//REL) General Query
- (S//SI//REL) Customized reports
  - VPN report
  - DNI Access Essentials
  - MPLS report
  - Five Tuple Report



(S//SI//REL) BLACKPEARL IP Search

- Interface IPs
- Loopback IPs
- Source or destination IPs of the router config file
- Inner network IPs
- Analyze other IPs on the link





(U//FOUO) BLACKPEARL

(S//SI//REL) Search 'All traffic' and include subchannels and tunnels if no results found under limited search

(S//SI//REL) If link is identified as MPLS then look at the other IPs in inner labels, if present

(S//SI//REL) Use BLACKPEARL for finding access and gathering information on your network




(S//SI//REL) Search for Inner Tunneled IPs

(S//SI//REL) Query BLACKPEARL with an endpoint IP
- Find other tunneled IPs - inner network IPs that you can do follow-on searches on

(S//SI//REL) Query DISCOROUTE with any new IPs found

(TS//SI//REL) Success: Discovered information on Somalia's Hormuud network




(TS//SI//REL) Example: Hormuud Network

(S//SI//REL) Began with loopback IPs from a spreadsheet

(S//SI//REL) Found configs for 2 of the 12 loopbacks in a text query in DISCOROUTE
- [redacted] and [redacted] were in the payload but not parsed

(S//SI//REL) Took the IPs from those configs and found other configs, one with hostname 'LNS'







(U) Example

- BLACKPEARL hit on LNS IP
- Inner IPs in L2TP tunnels
- DISCOROUTE search for inner IPs from the L2TP tunnels and found more configs
- (U//FOUO) Many of the configs were multi-hop
- (S//SI//REL) Information compiled for TAO: ~400 IPs for over 50 devices





(TS//SI//REL) BLACKPEARL Search (screenshot, addresses redacted)

Three L2TP tunnel entries, with 1, 6 and 2 five tuples respectively (the last with 24 total packets). Columns: #, Source Address, Dest Address, Source Port, Dest Port, Next Protocol, % Packets, # Pad. All listed flows are TCP (6).
(TS//SI//REL) BLACKPEARL MPLS (screenshot, addresses redacted)

Tuple lists per MPLS label stack: outer label 1046418 with inner labels 7938, 7211, 6660, 6306, 7180, 8120, 6315 and 6705. Columns: Source Address, Dest Address, Protocol Number, Pkt Count.
(U//FOUO) TOYGRIPPE

(S//SI//REL) VPN Metadata Repository





(S//SI//REL) Building VPN Network Knowledge

- (S//SI//REL) VPNs are part of a larger network
- (S//SI//REL) Inner or tunneled IPs are a peek inside the target's network
- (S//SI//REL) Beneficial to look beyond the endpoints of your VPN
- (S//SI//REL) Combine information from as many SIGDEV databases as you can





(U//FOUO) TOYGRIPPE

- Search 3 months at a time
- (U//FOUO) Keep going back in time if no results found
- (S//SI//REL) Take endpoint IPs found here and search in
  - DISCOROUTE -- device information
  - BLACKPEARL -- inner tunneled IPs
- (S//SI//REL) Country report




(U//FOUO) TOYGRIPPE

(S//SI//REL) Make note of other connections to the IP of interest and search for them separately

(S//SI//REL) You might not find what you are looking for, but it still may be important

(S//SI//REL) Convert the target domain name to hex and search for it in the idData field
- badguy.com -> 6261646775792e636f6d
- (idData LIKE '%6261646775792e636f6d')




(U//FOUO) Endpoint IP ... separately

- Query each IP in TOYGRIPPE
- Try to determine the importance of the connections
- Note other VPN connections: all IPs are important until proven otherwise
- (TS//SI//REL) Success: Discovered Iranian corporate intranet




(S//SI//REL) Building a VPN Intranet: Searching back through TOYGRIPPE

(Diagram of VPN connections between sites, IPs redacted.) Nodes: Izmir, Istanbul, Ankara, Malaysia, Armenia, Tehran, South Korea.

All branches of the same company. Hub was in Tehran.
(S//SI//REL) Finding Suspicious VPN Connections

(Same diagram as the previous slide.) Nodes: Izmir, Istanbul, Ankara, Malaysia, Armenia, South Korea.

(TS//SI//REL) Two connections outside the target company
(S//SI//REL) Discovery of a Data Center

(Diagram of the VPN connections, IPs redacted.)

...and when I did a follow-on search in TOYGRIPPE for IP C...

...I only found that it established VPN connections to IP A

Later discovered that IP C belonged to a data center in another country
























(S//SI//REL) Search for other end of the point-to-point

(S//SI//REL) What if you already have VPN endpoints from a GNOME report or a TOYGRIPPE search

(S//SI//REL) Search for that IP in the DISCOROUTE VPN report GUI - you don't find it

(S//SI//REL) Try to search for the other end of what would be a point-to-point connection in DISCOROUTE to find the customer edge router

(S//SI//REL) END GOAL: find more information about the network

(S//SI//REL) Customer Edge Routers














































(U//FOUO) NKB and RONIN

(S//SI//REL) NKB is NSA's Network Knowledge Base delivering target communications' DNI and enrichment data

(S//SI//REL) RONIN is a device characterization database and one of the enrichments to NKB
(U//FOUO) NKB

- (S//SI//REL) RONIN data
  - Server Analytics: VPN identified through application layer information in ASDF
  - Wiki: VPN Metadata in ASDF
  - VPN Analytics: endpoint in TOYGRIPPE
  - Router Config: new descriptive information coming soon to include tunnel & VPN information for IPs
  - Example: Kenya VPN IP







(Screenshot of the NKB/RONIN view for the Kenya VPN IP, IPs and hostnames redacted; columns Data Source, Service/Device, Type, Properties, Comments.) Entries shown: Hardware records "Interface: ROUTER, fast ethernet:IP" and "unknown:IP" sourced from DISCOROUTE (a Cisco router, model c870, interface description "To DSL provider", dated 2011-Aug to 2011-Oct); a Service record "Interface: ROUTER, IP ROUTE: Routed By" (router "BP_AGG01", 2011-Sep-12); and Service records "Interface: SERVER, VPN:IKEv1" (count 50) and "VPN:Cisco" (count 195).
(U//FOUO) GNETWORK

(S//SI//REL) Tool used to extract and correlate information from a variety of NAC, SSG, SSO, NTOC and other metadata databases
(S//SI//REL) Keep an Eye on the Entire Netblock

- (S//SI//REL) Multiple VPNs for one target
  - different purposes
  - different clients




(S//SI//REL) GNOME Task: Private IP VPNs

(S//SI//REL) Find a public IP associated with your private IP
- Loopback IP
- Another interface IP

(S//SI//REL) Use those for your GNOME report and look for your private IP on the same link

(S//SI//REL) Data presented in the VPN tab in GNOME report is limited
(U//FOUO) Network Patterns...






(S//SI//REL) IP Patterns

(S//SI//REL) Admins are people - they lean towards predictability in assignment of IPs to make their job easier

(S//SI//REL) IP or a combination of the octets could be an indication of:
- network provider
- location
- specific purpose in the network






(S//SI//REL) Client side of the VPN:

- Second octet indicated the network provider
  - 20 = network provider #1
  - 21 = network provider #2
- Second and third octet = country
  - 20.30 and 21.30 were the same country but different providers
- 40 = individual target entity in that country

(S//SI//REL) Server side of the VPN:

- Second octet indicated network provider
  - 51 = network provider #1
  - 52 = network provider #2
(S//SI//REL) Example #2: Network Patterns

(S//SI//REL) Public IP VPN:
- Third octet = country location of this IP (three possible)
- Fourth octet = country location of the other side of the VPN connection

Analyzed the opposite side of this /24 and identified the country for 167 4th octet values (out of 209) -> when this public IP connects to a private IP we know the country location of the private IP.









(U//FOUO) Final Thoughts...

(S//SI//REL) Just because you don't get results doesn't mean the answer isn't there
- If you're looking for a connection from A to B and don't find it, then maybe you need to look for one from A to C to B

(S//SI//REL) Try the query a different way
- Widen the search either by wildcarding (if permitted) or by selecting a different drop-down option
- Enter information in a different field




(U//FOUO) Final Thoughts...

(S//SI//REL) All IPs are important until proven otherwise
- They all serve a purpose and belong to a device
- Make note of what you find even if you don't know at the time what it means

(S//SI//REL) Search for data even if results are unlikely

(S//SI//REL) Don't necessarily discard dated information




(U//FOUO) Final Thoughts...

- (U//FOUO) Understand the data that you are searching and what the fields in the GUI are searching for
- (U//FOUO) Take an iterative approach: start searches wide, then narrow them down, then widen back out again
- (S//SI//REL) Bounce between the different databases and use the tools for every aspect of your network analysis




(S//SI//REL) VPN SIGDEV: Build the network knowledge.

- (TS//SI//REL) Dig beyond paired collection, PSKs and persistence
- (S//SI//REL) Discovery of the inner IPs of the VPN is possible in ways other than decryption
- (S//SI//REL) Investigate device IPs
- (U//FOUO) Look for patterns
- (S//SI//REL) Discover the 'N' of your VPN




(U//FOUO) Questions? 



SSG21 Net Pursuit 
Network Analysis Center 





(S//SI//REL) Simplifying and Automating VPN SIGDEV

SSG22
Network Analysis Center





(U//FOUO) The Ultimate Goals

- (S//SI//REL) Integrate VPN information into mainstream analytic tools and knowledge bases.
- (S//SI//REL) Give analysts the ability to discover, develop, and track known targets using VPNs.
- (S//SI//REL) Give analysts the ability to discover new targets using VPNs.




(U//FOUO)

- (S//SI//REL) Develop new corporate VPN tool (DARKSUNRISE).
- Joint collaboration between CES and the NAC
- Take advantage of cloud architecture.
- Strive to meet the needs of the entire VPN community.




(U//FOUO) To The Cloud!

- (S//SI//REL) Data stored in MDR-2, the corporate metadata repository.
- Stores one year of DNI metadata.
- Enables filtering, aggregating, and transforming large datasets quickly.
- Manage high data volumes.
- Answer VPN questions efficiently and easily.




(S//SI//REL) What are Some of the Needs of the VPN SIGDEV Community?

- (S//SI//REL) Answer VPN SIGDEV questions quickly.
- (S//SI//REL) Allow SIGDEVers to spend time analyzing data instead of gathering and processing the data first.
- (S//SI//REL) Make VPN SIGDEV more widely understood by simplifying and automating the SIGDEV process.
- (S//SI//REL) Robust Structure
  - Allow for multiple VPN and network encryption
  - Allow for incorporation of new analytics.




(S//SI//REL) What are Some of the Questions?

(S//SI//REL) Basic Questions
- Is my target using a VPN?
- What are all of the VPNs from country BadGuyLand?
- Tell me all of the VPNs where domain = sita*.
- Tell me all of the VPNs where the vendor ID = Cisco.




(S//SI//REL) What are Some of the Questions?

(S//SI//REL) Specialized Questions
- What are all of the VPNs that are bi-directional?
- What are all of the VPNs that are paired?
- Tell me all of the VPNs (and how many) that a particular VPN talks to (persistent hubs/centrality).
- What are all of the VPNs that are of interest (via Target Network Service)?
- What VPNs are associated to a router config?
- What are all of the VPNs that are persistent?
- For which VPNs do we have a PSK?




(S//SI//REL) What are Some of the Questions?

(S//SI//REL) Synthesizing Information
- What are all of the VPNs that are bi-directional, persistent, and of interest?
- What are all of the VPNs that are paired, persistent, and for which we have a PSK?
- What are all of the VPNs from country BadGuyLand that are paired, associated to a router config, and of interest?




(U//FOUO) DARKSUNRISE

(U//FOUO) This is a prototype GUI.

(U//FOUO) Coming Fall 2012










(S//SI//REL) DARKSUNRISE prototype GUI (Firefox screenshot; page banner: DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET//COMINT//TK//NOFORN)

Tabs: Main, Centrality, Stats, General Queries. Shadownet Filters: SIGAD, CASN, Protocol, IP Ranges, Source IP, Destination IP, Domain, ExchangeTypeId, VendorId, Country Code, FVEY Only, BiDirectional, First Seen (Start/End), Last Seen (Start/End); Submit, Clear all Filters, Clear Cache.

Result grid columns: SIGAD, CASN, Country, Domain, Protocol, Data Source, classification (rows shown: SIGAD DS-200B, CASN PK1S011, protocol IPSEC, data source VPN-TU; "Displaying 1-100 of 236", reports exportable as csv/html/xls).

Drilldown/Details tabs: NKB Location Data, PPTP Details, IPSec Details, VipNet Details, showing IP, CountryCode, CountryName, City, Domain, Company and ASN for the source and destination IP of the selected row.


(TS//SI//REL) The NKB Location Data

(Screenshot of the DARKSUNRISE prototype with the NKB Location Data drilldown selected, IPs redacted.) For the selected row the source IP resolves to CountryCode RO, CountryName ROMANIA, City BUCHAREST, Domain ROMTELECOM.NET, Company ROMTELECOM DATA NETWORK, ASN 9050, and the destination IP to CountryCode PK, CountryName PAKISTAN, City KARACHI, Domain TW1.COM, Company GRUPM, ASN 38193. Result rows: SIGAD DS-200B, CASN PK1S011, IPv4_public, country codes PK and AF, Data Source VPN-TU.





























(TS//SI//REL) The IPSec Details Drilldown

(Screenshot not recoverable.)














































































































(TS//SI//REL) Automatic Identification of Bi-directional VPNs

(Screenshot not recoverable.)






































































(TS//SI//REL) Automatic Identification

(S//SI//REL) [...] the Target Network Service (TNS).

(S//SI//REL) The Centrality Tab

(U//FOUO) The Metrics Tab

(S//SI//REL) Count distinct VPN records, grouping them by one or more of the following attributes:
- SIGAD
- Source
- VPN Type
- Case Notation
- Date




(U//FOUO) Questions?